
[Security - med] Cross-Domain Misconfiguration zap alert #833

Closed
rpoet-jh opened this issue Nov 21, 2023 · 0 comments · Fixed by eclipse-pass/pass-docker#360

rpoet-jh commented Nov 21, 2023

Risk: Medium

Many URLs, both /app* and /data* URLs

Access-Control-Allow-Origin: *

Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server

The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.

Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).
Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.
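An added example, not code from the Eclipse PASS project or from the pass-docker fix referenced above, showing the two sides of the remediation the alert describes: a server-side helper that emits Access-Control-Allow-Origin only for an exact-match allowlist (never "*" and never a blind reflection of the caller's Origin), and a small audit function that flags the same findings ZAP reports when run over observed response headers. The allowlisted origins and the sample headers are constructed for illustration.

```python
"""Allowlist-based CORS headers plus a ZAP-style audit of observed headers.

Added example; not code from Eclipse PASS or the pass-docker fix. The
allowed origins and sample responses below are constructed values.
"""
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Constructed allowlist: the only origins permitted to read /app* and /data*
# responses cross-origin. Exact scheme://host[:port] matches only.
ALLOWED_ORIGINS = frozenset({
    "https://pass.example.org",
    "https://app.pass.example.org",
})


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] in canonical (lower-case) form.

    Returns None for anything that is not a well-formed Origin value, such
    as '*', 'null', a bare hostname, or a value carrying a path or query.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None  # a real Origin header never carries a path
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers_for(origin: Optional[str]) -> dict:
    """Build the CORS headers to send for a request with the given Origin.

    Allowed origin: echo exactly that origin. Anything else (no Origin,
    malformed, or not allowlisted): send no ACAO header at all, so the
    browser enforces the Same Origin Policy. 'Vary: Origin' is always set
    so a shared cache never serves one origin's response to another.
    """
    headers = {"Vary": "Origin"}
    norm = normalize_origin(origin) if origin else None
    if norm in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = norm
    return headers


def audit_cors(headers: Mapping[str, str], request_origin: str) -> list:
    """Return findings for one observed response, matching the ZAP alert.

    `request_origin` is the Origin the probe request was sent with, used to
    detect servers that reflect any caller's origin. Header names are
    compared case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    findings = []
    if acao is None:
        return findings  # no CORS header: browser SOP applies, nothing to flag

    acao = acao.strip()
    if acao == "*":
        findings.append("ACAO is '*': any site may read unauthenticated responses")
        if lower.get("access-control-allow-credentials", "").strip().lower() == "true":
            findings.append("ACAO '*' combined with Allow-Credentials: true")
        return findings

    norm_acao = normalize_origin(acao)
    if norm_acao is not None and norm_acao == normalize_origin(request_origin) \
            and norm_acao not in ALLOWED_ORIGINS:
        findings.append("ACAO reflects an arbitrary request origin")
    if "origin" not in lower.get("vary", "").lower():
        findings.append("per-origin ACAO without 'Vary: Origin' (cache poisoning risk)")
    return findings


if __name__ == "__main__":
    # Constructed probe: the header ZAP observed on /app* and /data*.
    print(audit_cors({"Access-Control-Allow-Origin": "*"}, "https://attacker.example"))
    # Hardened reply for an allowlisted and for a non-allowlisted origin.
    print(cors_headers_for("https://pass.example.org"))
    print(cors_headers_for("https://attacker.example"))
```

Removing the header entirely for non-allowlisted origins (rather than sending a fixed default origin) is the behaviour the alert recommends: the browser then blocks the cross-origin read itself. Sending "*" is only defensible for truly public, non-sensitive resources that rely on no other access control such as IP allowlisting.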

@rpoet-jh rpoet-jh converted this from a draft issue Nov 21, 2023
@dkriethof dkriethof changed the title [Security] Cross-Domain Misconfiguration zap alert [Security - med] Cross-Domain Misconfiguration zap alert Nov 29, 2023
@rpoet-jh rpoet-jh added this to the 1.3.0 milestone Nov 29, 2023
@rpoet-jh rpoet-jh self-assigned this Nov 29, 2023
@rpoet-jh rpoet-jh moved this from Backlog to In Progress in Eclipse PASS Nov 29, 2023
@rpoet-jh rpoet-jh moved this from In Progress to Peer Review/QA in Eclipse PASS Dec 5, 2023
@rpoet-jh rpoet-jh moved this from Peer Review/QA to Done in Eclipse PASS Dec 12, 2023
@dkriethof dkriethof moved this from Done to Deployed in Eclipse PASS Feb 1, 2024